Antisec releases over a million Apple #UDID after Java-enabled FBI breach

Consumerisation worries public sector IT managers

Over a million Apple Unique Device Identifiers (UDIDs) have been posted online after hackers claimed to have obtained them from an FBI breach.

In a lengthy statement, the AntiSec hacking group said it had 1,000,001 Apple Devices UDIDs linking to their users and their push notification service tokens. It said: “The original file contained around 12,000,000 devices. We decided a million would be enough to release. We trimmed out other personal data [such] as, full names, cell numbers, addresses, zipcodes, etc. Not all devices have the same amount of personal data linked.

“Some devices contained lot of info. Others [had] no more than zipcodes or almost anything. We left those main columns we consider enough to help a significant amount of users to look if their devices are listed there or not. The DevTokens are included for those mobile hackers who could figure out some use from the dataset.”

It then went on to say that it ‘never liked the concept of UDIDs since the beginning' and said it was a ‘really bad decision from Apple'.

As for why it was exposing this personal data, the profanity-ridden release said that it had issue with the FBI ‘using your device info for a tracking people project' and wanted people to be aware of the FBI using people's device details and information.

It said: “Looking at the massive number of devices concerned, someone should care about it. Also we think it's the right moment to release this knowing that Apple is looking for alternatives for those UDID currently and since a while blocked axx to it, but well, in this case it's too late for those concerned owners on the list. We always thought it was a really bad idea. That hardware coded IDs for devices concept should be erradicated from any device on the market in the future.”

It said that it came by the data after a Dell Vostro notebook, used by an FBI supervisor special agent was breached using the ‘Atomic Reference Array' vulnerability in Java.

The statement said that during the shell session, some files were downloaded from the users's desktop folder and one had the name ‘NCFTA_iOS_devices_intel.csv' which was a list of 12,367,232 Apple iOS devices that included UDIDs and personal details.

Andrew Storms, director of security operations for nCircle, said: “Since AntiSec removed all the personal data from the data they released, this hack doesn't present much risk to end users. UDIDs in isolation aren't a big deal. In fact, Apple used to permit apps to spew UDIDs all over the place, so there's a lot of UDID data already in the public domain. For a while, there were a lot of apps using UDID and personal data to track users activity and selling it to advertisers.

“This release does make you wonder what the heck the FBI and the DOJ were doing with 12 million UDIDs. Are they working on a case involving Apple or an app maker? And, assuming there is a legitimate reason for the FBI to have this data, why wasn't it better protected?”

An article by the Guardian suggested that the hackers did not obtain the Apple UDID from a federal laptop. It quoted an FBI statement which said: "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

Rob Rachwald, director of security strategy at Imperva, said he suspected that the breach was real as the FBI agent that was supposedly breached is real and the database that was breached seems authentic.

“However, the structure and format of the data indicates that this is a real breach. It would be hard to fake such data,” he said.

“If the hackers have what they claim, they may be able to cross reference the breached data to monitor a user's online activity, possibly even a user's location. To be clear, the released database is sanitized so you cannot perform this type of surveillance today. But with the full information that hackers claim to have, someone can perform this type of surveillance. This implies that the FBI can track Apple users.”

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.